DSci29: Security and Privacy in Informatics

USC Data Science Program 529 (DSci 529): Security and Privacy in Informatics - Spring 2021

Lecture Friday - Noon to 3:20PM PM
Clifford Neuman

Current Events for February 5 2021

Privacy and Tellecommunication Providers

ATT sells location data to bounty hunters! - Joseph Cox, Vice January 8 2019

Mobile carrier providers operate an infrastructure that keeps users connected to the internet regardless of movement in time and space. This service is partly achieved by tracking location in relation to cell tower infrastructure through signal strength, triangulation, and other techniques. Oddly, some of these providers sell this time stamped location data to interested parties for profit, including to bounty hunters. – Francisco Ventura (submitted last week) Customer data stolen in hack targeting UScellular - Duncan Riley, Silicon Angle, 31st January 2021

United States Cellular Corp., the country’s fourth-largest wireless carrier, has been hacked with customer information stolen. The hacking happened with a combination of social engineering and trojan horse method. - Nana Andriana

Government Use of Data

Intelligence Analysts Use U.S. Smartphone Location Data Without Warrants, Memo Says By Charlie Savage, New York Times, 01/21/2020

Government agencies are required to obtain a warrant to get access to the customer locations from phone companies. The government agencies use a loophole in privacy law and purchase aggregated location information from brokers. The Defense Intelligence Agency has been buying aggregated location information from brokers and have searched for locations of Americans five times in the last two and a half years. - Arzu Karaer Intelligence Analysts Use U.S. Smartphone Location Data Without Warrants, Memo Says -Charlie Savage, New York Times Digital Privacy Jan.22, 2021

DIA analysts have been using smartphone location data for investigation without warrants. The data was commercially available and bought from brokers. This indicates a loophole in a previous ruling in 2018 that says 'the government needs to obtain a warrant to compel phone companies to turn over location data about their customers.' -Gan Xin Intelligence Analysts Use U.S. Smartphone Location Data Without Warrants - Charlie Savage, New York Times, 1/22/2021

As per a memo obtained by the NYT, Defense Intelligence members have been able to comercially buy databases containing location data of American smartphone app users and track movements without a warrant. This indicates a massive loophole in a 2018 ruling by the Supreme Court that mandated the government to obtain a warrant before phone companies could turn their data over about their customers, as the government seeks out third-party brokers, for which they do not need a warrant. – Tanmay Ghai California legislation targets police use of license plate readers - Kari Paul, The Guardian January 12th, 2021

As we talked in class, USC uses Automated License Plate Reader (ALPRs) to collect large amounts of data and track real movement of people entering the campus and leaving the campus. This is very interesting since California is one of the states of which the police department uses ALPRs as well as USC. This collects a lot of data but is only related to a fraction of actual crime. — Saurabh Jain

Malicious Software

New Malware Raindrop Discovered - Ravie Lakshmanan, The Hacker News, 1-19-2021

This is the fourth malware strain to be discovered linked to the Solar Winds supply chain attack. It is shellcode only with an AES encrypted payload that is stored at predetermined locations within the machine code. The malware appears to be of Russian origin, and is used throughout the network to allow attackers to move laterally across the network and deploy payloads on other devices. - Vartan Batmazyan (submitted last week) Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions - Ravie Lakshmanan, The Hacker News, 2-3-2021

Called CacheFlow by Avast, these extensions in question leveraged the Cache-Control HTTP header in order to pull commands from a remote malicious server and execute on the host device.While specifically designed to not affect victims that the extension evaluated to be web developers and to not exhibit any strange behavior in the first three days post installation, on average victims they used the CacheFlow exploit to retrieve users' birthdays from https://myaccount.google.com/birthday as well as inject javascript into browser tabs to redirect users clicking on legitimate sites to potentially malicious ones. The extensions have been removed from the official extension store since 12-18-2020 despite there being evidence suggesting that the extensions might have been active since October of 2017. -Vartan Batmazyan DDoS attacks leverage Plex media server - Joe Uchill - SC Media 02/04/2021

Recently, the Plex media server was under a spate of distributed denial-of-service (DDoS) attacks. It uses a universal plug and play (UPnP), which relies on the simple service discovery protocol (SSDP) to allow systems on the same network to seek each other and share files. However, attackers can leverage exposed SSDP to conduct attacks. Thus, Plex has been suggested that the servers could use architectures like central directory service other than UPnP to increase the security with similar functionality. - Ye Zeng

Nation State Activities

New campaign targeting security researchers - Adam Weidemann, Google Threat Analysis Group, January 25, 2021

North Korean campaign to target security researchers on Twitter, Discord, and other social media platforms. Threat actors built security research blogs and created fake videos to post on Twitter for credibility. They would then contact security researchers to "collaborate" with them on an exploit or a project they were "working on". In some cases, VS project files would be provided that would contain malware. In other cases, following a link on Twitter to their blog would lead to a malicious service being installed on the targeted’s system with a backdoor. - Jonathan De Leon Briden Cracks Down on Russia - Cyber Scoop 02/4/2021

After 2016, the Russians have been implicated frequently for meddling in American affairs through cyber attacks. Biden has pledged to be more strict in cyberspace, and no longer "roll over" to attacks from the Russians. No major policies have been set in stone, but Biden confronted Putin via telephone within the past weeks. - Griffin Weinhold

The Executive Branch and US Government Policy

The Peloton Problem, The Guardian 01/21/2021

Like plenty of Americans, the new president of the free world likes to get his cardio in on his Peloton. US officials worry this poses a significant security threat to the White House since Peloton is not a closed system, and connects to the internet despite stalwart firewalls. On top of overall internet access, the microphone and video integration within Peloton possesses a further risk. - Griffin Weinhold (submitted last week) Americans Won’t Be Banned From Investing in Alibaba, Tencent and Baidu - Jing Yang, Dawn Lim and Gordon Lubold - Wall Street Journal 1/13/2021

The US government is allowing Americans to continue investing in Chinese companies Alibaba, Tencent, and Baidu, after considerations to blacklist the companies over national security concerns. Previously, these companies were included in a list of firms alleged, by the Department of Defense, of supporting China's military, intelligence, and security services. However, with their combined 1.4 trillion market cap, it was decided that the economic fallout of such divestment weighed greater than the risks posed by the companies' alleged involvement with the chinese military -- Philana Williams (submitted last week) Limiting Access to Sensitive Government Information - Lara Seligman and Bryan Bender, Politico, 1/20/2020

As the executive branch changes this week, more details have been released as to the extent of the efforts to limit the incoming administration to sensitive information. The topics withheld include but are not limited to; the Solarwinds Hack, troop drawdown in Afghanistan, the Covid vaccine development plan (called Operation Warp Speed), covert operations in Africa, withdrawal of troops in Somalia, budgetary requests, and a deal with United Arab Emirates for the F-35 fighter jet. It is unclear what damage this lack of access to information will have on homeland security. – Emily Christiansen (submitted last week)

Facebook

WhatsApp Has Shared Your Data With Facebook for Years, Actually - Lily Hay Newman, Wired 1/8/2021

WhatsApp updated its terms of use and privacy policy, and notified users by sending pop-ups for them to accept. Part of the update was users could choose to not share certain information with Facebook. Users worried about how much data would flow between WhatsApp and Facebook since Facebook acquired WhatsApp in 2014. WhatsApp started sharing information and metadata with Facebook after WhatsApp updated its privacy policy in August 2016. – Tian Yang

Google

Google announces plan to tackle privacy issues in online advertising - Alex Hern, The Guardian 01/25/2021

Google will soon begin experiments in Chrome on its new “privacy sandbox” to find a middle ground between blocking all potential surveillance and the needs of advertisers. The new approach manages to use AI and a “trusted server” to let advertisers target ads without the vast surveillance ecosystem. A major difficulty for this approach is to ensure that the ads industry is not circumventing true user privacy. – Haonan Xu chrome cookie update advertisers google - Matt Burgess - 02/03/2021

Google Chrome is making plans to remove all third party cookies, by 2022, in light of growing security and privacy concerns. As an alternative, Google is planning on sending targeted ads using its own AI system called Federated Learning of Cohorts (FLoC). The new system would use web browsing history, and other data points owned by Google to classify users based on their interests. However, critics of the change say that Google risks putting smaller ad firms, and websites that rely on ads out of business, all while reaping the benefits of a larger market of the web advertisement business. -- Philana Williams Google says it may have found a privacy-friendly substitute to cookies - Sara Fischer, AXIOS 1/25/21

The story explains Google has been testing a new API called FLoC to replace third-party cookies. FLoC will use first-party data, or data uploaded to a site directly from the user to target ads instead so that the privacy of users can be protected and privacy concerns will be decreased. - Yi Jin Google says Chrome cookie replacement plan making progress - Author(Via AP news wire), Source(INDEPENDENT) 01/25/2021

Third-party cookies have been a longtime source of privacy concerns. A year ago, Google said that it would do away with them. Few days ago, Google says they have updated its work progress and will delete so-called third-party cookies from the Chrome browser which are used by a website's advertisers or partners and can be used to track a user's internet browsing habits. The new technology will eliminate “individual identifiers" and instead groups users into large demographic flocks.

Supply Chain Subversion

Data security depends on a secure software-development supply chain - Author: Santiago Torres-Arias, Source: Venture Beat, Date: January 24, 2021

Other

How to Identity Proof in an Increasingly Virtualized World - Jonathan McDonald, Entrepreneur January 28, 2021

Businesses are improving identity techniques to keep balance between security and accessibility, so that users can access their services without burdensome steps, but hackings can be detected and prevented. Several digital footprints are involved into intelligence analysis to draw a more complete picture bring more confidence for identity proof. Risks, however, still exist, as fraudsters are innovating hack techniques, and more data are being collected and in risk of exposure. – Lingyu Ge The controversial company using DNA to sketch the faces of criminals -Carrie Arnold, Nature 9/9/20

The article shows how DNA is used to solve cases involving serious violent crimes and why people have raised concern over the balance between using DNA databases against crime and privacy issues. It also covers the future of forensic genetic genealogy. CES2021: Raising the Bar on Privacy and Trust Online in 2021 -James Coker, INFO Security,Jan. 28th 2021

On the Consumer Electronics Show (CES) 2021, a message of rasing the bar on privacy of those tech companies' online services was brought up due to more customers were using their products for very important interactions. Many Tech companies claimed that they have a duty to help users feel safe online when using their products, and also including transparent privacy controls and data protection rules. In addition. those collections towards user's private datas for artificial intelligence and machine learning purposes were brought up to be concerned. –Zixin Zheng Tik Tok bug gave access to contact's profile details - Author(Phil Muncaster), Source(Info Security Magazine) Date: 26 Jan 2021

A bug in Tik Tok's find a friend feature was found which allows an attacker to get details to all contacts in a victim's phone book Since user's sync their phone numbers with their account this allows attackers to bypass https messaging to sign in An attacker could use this to get private sensitive information and use it for malicious purposes such as phising.

The Pandemic and Privacy

Proposed Bill to Protect Health Related Data - Anuja Vaidya, MedCity News February 2, 2021

One of the main ways that the government has tried to control the spread of COVID-19 is by using technology. Because of this, there has been a large increase in health and medical data recorded for citizens. To ensure that this data is not misused and that an individuals privacy is protected, Democrats have proposed the Public Health Emerging Privacy Act to ensure that companies don't misuse this data for marketing and that the data is prevent from landing in the wrong hands. – Addison Allred The Better Business Bureau is warning people not to post their Covid-19 vaccination cards on social media - Alaa Elassar, CNN 2.1, 2021

The Better Business Bureau warns people do not share their covid-19 vaccine cards because they may give their personal info away. Another issue is that it provides convenience to scammers to create imitation cards to sell. The BBB suggests to share vaccine stickers instead of vaccine cards. – Bolong Pan

Privacy Regulation and other Government Regulation

CCPA: Privacy Notices & Access Requests - David A. Zetoony - National Law Review Jan 29, 2020

While CCPA(California Consumer Privacy Act) allows consumers to "institute a civil action" for unauthorised access to their personal information, it does not provide a right of action. CPRA(California Privacy Rights Act), which is based on CCPA, uses the term “right to know” and “right to access” synonymously. A customer can submit request of specific information, which urges companies to give more detailed information than category-level, which was the case before. – Zihuan Ran Banks and fintechs battle over financial data - Tomio Geron, Protocol, 4th February 2021

The Consumer Financial Protection Bureau is preparing to change its rules on financial data. In Section 1033 of the Dodd-Frank Act, the changes could have a major impact on how consumers can access and move their financial data between banks, fintechs and other companies — as well as which companies become consumers' go-to source for financial services. – Nana Andriana Singapore assessing WhatsApp privacy policy change, not 'adversely affected' in SolarWinds breach - Eileen Yu, By The Way 02/02/21

Singapore has yet to see any significant impacts from the SolarWinds security breach on its critical information infrastructures or government systems. But It is looking into concerns related to upcoming privacy policy changes on WhatsApp, which is amongst messaging platforms the government uses to push information to the local population. WhatsApp in recent weeks has begun pushing notifications to users about an update to its privacy statement. –Yixiang Cao Virginia Consumer Data Protection Act on the horizon — Now what? - Joseph Duball, IAPP, 4 February 2021

Virginia is set to be the next U.S. state with a comprehensive data privacy law, Consumer Data Protection Act (CDPA). The Senate Bill passed unanimously by the Virginia Senate on its first and second readings and is set for the final approval on Feb 5. The bill follows principles outlined in CCPA and GDPR such as threshold requirements, definition of personal data, individual rights for VA residents, and opt-out provisions. More interestingly, it includes a separate category called "sensitive data" which includes racial or ethnic origin, religious beliefs, biometric data, and geolocation that can only be processed with consent. If signed into law, it will go into effect the same day as CPRA (January 1, 2023). -- Jonathan De Leon Most are concerned about data privacy, but few are willing to change habits -Help Net Security, Feb 4, 2021

People are concerned more about their data privacy, especially during the pandemic. However, they are not protecting their personal information proactivity, some don't even read the terms and conditions. Many people, especially the younger generations, are willing to share their personal information for convenience. – Junbo Sheng

Facial Recognition and ALPR

Canadian authorities determine facial recognition firm violated privacy lawRyan Chiavetta, iapp, 02, 04, 2021

Canadian commissioners determined Clearview's collection of more than three billion images, millions of which belong to Canadians, took place without the knowledge or consent of citizens, and they also found that the company did not use and disclose the collected data properly. What the commissioners also found is the current slate of privacy laws in Canada are not sufficient to regulate facial recognition. The provincial commissioners said the Clearview situation shows their respective laws need improvements. -Yueming, Gao Clearview AI ruled illegal by Canadian privacy authorities - Zack Whittaker, techcrunch.com, February 3, 2021

Clearview AI is a New York-based startup company featuring advanced facial recognition technology and has faced backlash in the past for scraping social media websites without permission. Clearview AI has recently collected images of Canadians without permission and is claiming that Canada's privacy laws do not apply to them, and that the images were publicly available and did not need consent. Canadian authorities are seeking ways to hold Clearview AI accountable. – Danielle Sim Clearview's facial recognition tech is illegal mass surveillance - Kim Lyons, The Verge 04/02/2021

Clearview AI is a new research tool used by law enforcement agencies to identify perpetrators and victims of crimes. Canada says it inflicts broad-based harm on all members of society. It was found that the company had collected highly sensitive biometric information without consent – Sharad Narayan Sharma California legislation targets police use of license plate readers - Kari Paul, The Guardian, 1/12/21

This news explains automated license plate readers (ALPRs), a technology used to collect large amounts of data and track the real-time movement of hundreds of millions of people without a warrant. In many cases, police collect excessive amounts of information and sharing them with hundreds of other agencies, often without clear reasoning. Some think it violates people’s privacy, and we do not need a surveillance state in this country.. – Yansong Wang

Social Media and Other Apps and Privacy

Social media helps bring people together, but in this political climate it's tearing us apart Meghan Lopez, Denver 7, Feb 01, 2021 10:52 PM

To communicate with others, some people turn to social media, while others use the social networks to take a break from their everyday lives or vent their frustrations. Social media is now playing a part in politics more and more. The channels are now used by politicians, advocacy parties, policymakers, and more as a way to communicate with voters and spread their message. -Supreet Randhawa Instagram Bans Hundreds of Accounts With Stolen User Names - Taylor Lorenz, The New York Times, Feb. 4, 2021

Many O.G. usernames on Instagram are stolen by hacking, extortion, blackmail and harassment and been sold. Instagram is coordinating with Twitter and Tiktok to ban this users who are involved in stealing.– Congrui Li Social media expose 80 percent oversharing - Phil Muncaster Infosecurity Magazine 02/02/21

This news tells us about people exposing most of their information over social media making it easier for hackers to do social engineering. The readily available information on social media is being used to do phishing or online fraud. - Aziza Saulebay Grindr is fined $11.7 million under European privacy law. - Natasha Singer and Aaron Krolik, The New York Times, Jan. 25, 2021

Grindr has been fined by the Norwegian Data Protection Authority for sending location and tracking data to advertising companies without user consent. This not only violates European policy, but has dangerous implications for users in countries where homosexuality is illegal. The sanctions will hopefully emphasize the need for dating apps to acquire consent before sharing sensitive user information. - Brianna Heffernen Everything You Need To Know: Facebook Login, User Data And Privacy On Oculus Headsets - Author(HARRY BAKER), Source(UPLOAD) 01/31/2021

Facebook’s Oculus Quest 2 requires a Facebook login, and agreeing to Facebook’s terms of service for the device. Facebook confirmed that users' activity on an Oculus device, such as which apps users use, will be used to target “relevant content” to users, for example ads or Facebook events. -- Kaifan Lu

Apple

What We Learned From Apple’s New Privacy Labels - Brian X. Chen, New York Times，Jan. 27, 2021

APPLE store requires application manufacturers to list labels to indicate how the application will use the collected data to process customer information, which will also cause confusion for other applications. How to Read Apple’s Privacy Labels become important. – Jinglun Chen Apple and Facebook at odds over privacy move that will hit online ads - Alex Hern, theguardian.com, Jan 28, 2021

Apple decided to release a new feature called App Tracking Transparency(ATT) in "early spring". This will require apps to ask for users' permission in order to track them around the web. Facebook said Apple was pushing for "anti-personalized ads and will take the world back 10 or 20 years", they believe "ATT" will kill small businesses by preventing them from advertising to would-be customers. Also, Facebook targets a number of other features of IOS that are applied unfairly. A new set of "privacy nutrition labels" requires Facebook to list the types of data it collects while apps provided by Apple like iMessage do not display the same info. - Xihao Zhou